Hospitals under threat as hackers exploit coronavirus to carry out cyber attacks

Security experts warn that global concern over coronavirus risks creating a fertile hunting ground for cybercriminals

Coronavirus could present an opportunity for hackers. Credit: The Telegraph

As healthcare workers on the front line are coping with a wave of patients stricken by coronavirus, a different kind of virus is waiting for the opportune moment to wreak havoc.

A staff member who clicks on a link in an urgent-looking email from what appears to be the World Health Organisation could allow hackers to infiltrate entire networks of hospitals and NHS trusts, stealing crucial files and holding hospitals, whose priority is keeping patients alive, to ransom.

Organised criminals, aware of the inflated prices they can demand to unlock files in troubling times, are poised to send out more campaigns against individuals than ever, in the hope that just one worker will open a bad link.

“The Covid-19 outbreak represents a ready-made pretext for cyber criminals to socially engineer,” says Andy Riley, executive director at Nuspire, which provides cyber security for health companies. 

“It is the perfect time to hold an organisation that is already overtaxed with patient flow and uncertainty to ransom,” he adds.

In times of an outbreak, health workers are likely to be expecting important information and may click on links or open attachments that they would normally be more careful about. 

This pretext is what opens hospitals or local government departments up to phishing or social engineering attacks. Once the malware is on the system, it could locate and encrypt, or temporarily hold, crucial files that cause outages impacting clinical staff. 

Experts say hospitals face two different risks: attacks targeted at them in the hope that they’re more likely to pay up than normal, and getting caught in the crossfire of widespread cyberattacks which pursue hundreds of thousands of targets.

The cyberattacks are already beginning to happen. On March 15, the US Department of Health and Social Science was struck with a cyberattack that knocked its services offline.

Just days before, a hospital in the Czech Republic which is responsible for processing coronavirus tests said it had suffered a cyberattack.

University Hospital Brno wrote on Twitter: “Basic operation has been preserved, some computer systems are limited. Planned operations are postponed.”

Some experts believe these early attacks were collateral damage rather than someone specifically targeting healthcare providers.

“I suspect some of these early ones are just a blunderbuss approach and unfortunately somebody may have clicked on the wrong link in an email and whoosh, it's round the whole system,” says Alan Woodward, a cybersecurity professor at the University of Surrey.

There are also signs that cyberattacks taking advantage of coronavirus may be coming from government-backed hacking groups, rather than cybercriminals looking to make money.

Research into the rise of coronavirus-related cyberattacks carried out by cybersecurity business Recorded Future showed that attacks began in January before escalating in February.

Lindsay Kaye from Recorded Future said there are indications that countries including Iran, North Korea, China and Russia are carrying out coronavirus-themed cyberattack campaigns.

It certainly wouldn’t be the first time that other countries have carefully timed forays into our national infrastructure.

Russian hackers sneaked into parts of the UK’s power grid in 2017 while people were preoccupied with heading to the polls to vote in the General Election. They managed to smuggle out crucial information on how the grid functions, including passwords and documents.

The NHS may have smartened up its security after it was struck down by the WannaCry malware in 2017 which saw operations suspended and NHS trusts reduced to pen and paper. But it is under attack again, says Tim Mackey, principal security strategist at Synopsys.

“Every single NHS trust is under almost daily attacks from a variety of sources, whether they are targeted or not,” he says.

Public Health England and the channels necessary to communicate crucial coronavirus information to the public are at the highest risk, Mackey says. 

“The organisation that worries me most is the organisation that is supposed to have the public’s primary trust,” he says. 

Imagine a scenario where someone gains access to Public Health England or the NHS’s Twitter account. 

In times where people are already panicking, putting a message out that Covid-19 deaths have spiked and one million are at risk could cause “all kinds of madness,” he says. 

Those who work in cyber security are, by nature, fluent in worst case scenarios. The best protection is working out the most damaging hypothetical situation and preparing for it. 

But even in a business where hyperbole is welcomed, experts are truly concerned about how criminals and nation states will capitalise on coronavirus. 

Researchers observed cybercriminals preparing for future attacks as far back as January when they bought web domains that are almost identical to those used by the World Health Organisation or the Centre for Disease Control and Prevention. 

It is these domains that can be used to lure the unsuspecting into clicking on bad links. 

The promotion of working from home for many non-essential jobs which recently went into effect in the UK and US may also undo investments made by IT departments to limit the cyber threat. 

Teleworking and using personal devices are of particular concern and many departments have now adopted split workforces, where teams are split in half. A missed phone call or email could be a crucial gap in the IT department’s armour.

It’s a risk which security services are well aware of. The National Cyber Security Centre, a division of spy agency GCHQ, published a blog post on Tuesday warning of an increased risk of cybersecurity problems if people are working from home using their own devices.

Working from home “presents new cyber security challenges that must be managed,” it warned.

On the frontline, health services may shift to opening triage in car-parks or local buildings as the outbreak continues, meaning that staff are more likely to click on bad links if set up to work on their phones. 

Mackey is optimistic. “I'm not overly worried about someone sitting in an emergency and then seeing the physician's laptop no longer works. The physician is still a physician.” 

The vulnerabilities are there for a hacker to exploit but the question is, in times of a worldwide crisis, would they really stoop so low? 

“There’s a special place in hell reserved for people who do that kind of profiteering,” says Sam Curry, executive director of Cybereason. “This is a crime against humanity.”

That said, he “would never put it past people”.

Hospitals and healthcare services are not just more of a target now, they are just “more valuable targets,” he adds. “If you are a bad guy doing the cold hard calculus of hacking and the chances that you can make money, then you know that the more pain you inflict the bigger that payment is going to be.” 

This means that criminals may be more likely to target private research institutions who can hand over substantially larger ransom payments, because if they are hacked then millions of lives are at risk.

Doctors are divided on how long coronavirus will last, but cybersecurity experts all agree that the urgency of the healthcare crisis could lead to a worrying goldrush for cybercriminals.

Kaye, the researcher tracking the spread of coronavirus-related hacks, warns that these incidents are likely to continue for the foreseeable future.

“This is a very opportunistic thing,” she says, “as long as there is relevance in the news, it will offer an opportunity.”
